{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-4335", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-05T15:32:04.904Z", "datePublished": "2025-05-07T01:43:08.149Z", "dateUpdated": "2025-05-07T14:03:12.337Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-07T01:43:08.149Z"}, "affected": [{"vendor": "n3wnormal", "product": "Woocommerce Multiple Addresses", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.0.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."}], "title": "Woocommerce Multiple Addresses <= 1.0.7.1 - Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95e74e70-9dc9-4e63-b371-fd2a38692907?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-multiple-addresses/trunk/class-woocommerce-multiple-addresses.php#L522"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "timeline": [{"time": "2025-05-06T13:28:35.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T13:46:15.887563Z", "id": "CVE-2025-4335", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T14:03:12.337Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4335", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-07T13:46:15.887563Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:46:17.854Z"}}], "cna": {"title": "Woocommerce Multiple Addresses <= 1.0.7.1 - Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "n3wnormal", "product": "Woocommerce Multiple Addresses", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-06T13:28:35.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95e74e70-9dc9-4e63-b371-fd2a38692907?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-multiple-addresses/trunk/class-woocommerce-multiple-addresses.php#L522"}], "descriptions": [{"lang": "en", "value": "The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-07T01:43:08.149Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4335", "state": "PUBLISHED", "dateUpdated": "2025-05-07T14:03:12.337Z", "dateReserved": "2025-05-05T15:32:04.904Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-07T01:43:08.149Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."}, {"lang": "es", "value": "El complemento WooCommerce Multiple Addresses para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 1.0.7.1 incluida. Esto se debe a restricciones insuficientes en los metadatos de usuario, que se pueden actualizar mediante la funci\u00f3n save_multiple_shipping_addresses(). Esto permite que atacantes autenticados, con acceso de suscriptor o superior, eleven sus privilegios a los de administrador."}], "id": "CVE-2025-4335", "lastModified": "2025-05-07T14:13:20.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-05-07T03:15:19.370", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-multiple-addresses/trunk/class-woocommerce-multiple-addresses.php#L522"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95e74e70-9dc9-4e63-b371-fd2a38692907?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}